# Unable to Ping Network Gateway From VM With Security Group Enabled

## Problem

* Unable to Ping Network Gateway From VM With Security Group Enabled

```bash
$ ping <NETWORK_GATEWAY_IP>
```

* This behaviour is observed when the attached security group has no ingress rule defined.

## Environment

* Private Cloud Director Virtualization - v2025.4 and Higher
* Self-Hosted Private Cloud Director Virtualization - v2025.4 and Higher
* Component - Networking

## Cause

* When a security group is attached, no inbound (ingress) rule is defined in it to allow the incoming traffic.

## Resolution

* To allow the incoming traffic for the Tenant Network Gateway IP, add an ingress rule to the Security Group.
* Steps to add an ingress rule to the security group:

1. Identify the security group UUID.
2. Run the command below to add an ingress rule that allows all incoming traffic.

```bash
$ openstack security group rule create <SG_UUID> \
  --protocol any \
  --ethertype IPv4 \
  --direction ingress \
  --remote-ip 0.0.0.0/0
```
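As an added check (example code, not Platform9's or OpenStack's own), the script below parses the JSON that `openstack security group rule list <SG_UUID> -f json` prints and reports which ingress rules admit ICMP from the gateway IP, and which ingress rules admit every protocol from every source. The column names and the sample rules are assumptions constructed for the example; adjust the keys to what your CLI version emits.

```python
"""Audit a security group's ingress rules around the gateway-ping fix.

Added example; the column names below are assumed to match the JSON
output of `openstack security group rule list -f json`.
"""
import ipaddress
import json

# Constructed sample: the default egress-only rule plus one ICMP ingress rule.
SAMPLE_RULES_JSON = json.dumps([
    {"ID": "r1", "IP Protocol": None, "Ethertype": "IPv4", "IP Range": None,
     "Port Range": "", "Direction": "egress", "Remote Security Group": None},
    {"ID": "r2", "IP Protocol": "icmp", "Ethertype": "IPv4",
     "IP Range": "10.0.0.0/24", "Port Range": "", "Direction": "ingress",
     "Remote Security Group": None},
])


def parse_rules(text):
    """Load the JSON rule list emitted by the openstack CLI."""
    return json.loads(text)


def _is_ipv4_address_rule(rule, direction):
    """Rule we can evaluate by address: right direction, IPv4, no remote SG."""
    return (rule.get("Direction") == direction
            and (rule.get("Ethertype") or "IPv4") == "IPv4"
            and not rule.get("Remote Security Group"))


def ingress_allows(rules, src_ip, protocol="icmp"):
    """IDs of ingress rules that admit `protocol` from `src_ip` (the gateway)."""
    src = ipaddress.ip_address(src_ip)
    hits = []
    for rule in rules:
        if not _is_ipv4_address_rule(rule, "ingress"):
            continue
        # A missing protocol or remote prefix means "any" in Neutron.
        proto = (rule.get("IP Protocol") or "any").lower()
        cidr = ipaddress.ip_network(rule.get("IP Range") or "0.0.0.0/0")
        if proto in ("any", protocol) and src in cidr:
            hits.append(rule["ID"])
    return hits


def wide_open_ingress(rules):
    """IDs of ingress rules that admit every protocol from every IPv4 source."""
    return [rule["ID"] for rule in rules
            if _is_ipv4_address_rule(rule, "ingress")
            and (rule.get("IP Protocol") or "any").lower() == "any"
            and ipaddress.ip_network(rule.get("IP Range") or "0.0.0.0/0").prefixlen == 0]
```

The rule added in the resolution above is reported by `wide_open_ingress`; once the ping works, `ingress_allows` lets you confirm that a narrower rule (ICMP from the gateway address only) still covers the gateway before you replace the broad one.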

## Additional Information

* No additional action needs to be performed on the virtual machine or the security group.
* An ingress rule is required for the ping to succeed. Refer to this [Upstream Documentation](https://docs.openstack.org/nova/latest/user/security-groups.html).
* To understand logical tracing of the OVN packet flow, refer to this [Upstream Documentation](https://docs.ovn.org/en/latest/tutorials/ovn-openstack.html#logical-tracing).
* To run `ovn-*` commands on the hosts onboarded to PCD, execute the steps below.

1. Create an environment file `ovs-alias.rc` with the content below.

```bash
# Address of the OVN central node, read from the local OVS configuration
# (ovn-remote is stored as "tcp:<ip>:<port>", so field 2 is the IP).
EXTERNAL_ID=$(sudo ovs-vsctl get open . external_ids:ovn-remote | awk -F: '{print $2}')
# Northbound and Southbound database endpoints
export NBDB=tcp:${EXTERNAL_ID}:6641
export SBDB=tcp:${EXTERNAL_ID}:6642
# Point the ovn-* tools at the remote databases
alias ovn-sbctl="ovn-sbctl --db=$SBDB"
alias ovn-nbctl="ovn-nbctl --db=$NBDB"
alias ovn-trace="ovn-trace --db=$SBDB"
```

2. Source the rc file and start using the OVN commands:

```bash
$ source ovs-alias.rc

$ ovn-nbctl ls-list
```

{% hint style="info" %}
`ovn` commands can also be executed from inside the OVN Northbound pod on the Management Cluster. Only Self-Hosted Private Cloud Director Virtualization users can run the steps below.
{% endhint %}

1. Access the OVN Northbound pod in the Management Cluster using the command below.

```bash
$ kubectl --kubeconfig <PATH_TO_KUBECONFIG> -n <REGION_NAMESPACE> exec -it <ovn-north-pod> -- bash
```

2. Run the command below to validate the packet flow.

```bash
$ ovn-trace neutron-<SWITCH_UUID>  'inport=="<VM_NETWORK_PORT_ID>" && eth.src==<MAC_ADDR_OF_VM_PORT> && ip4.src==<SOURCE_IP> && ip4.dst==<Destination_IP> && icmp'
```
